Kevin Duffey wrote:
> Hi,
>
> I was wondering, following the Struts framework, Model 2, etc..since
> servlets merely map the JSP extension to their own incarnation of
> JSPServlet, is it possible to map all JSP pages to my ControllerServlet (or
> for that matter, the controller servlet of the Struts framework), so that I
> could place security abilities and other things (making sure pages they try
> to access are allowed..if they are logged in or not, etc)? If so, is there a
> lot involved in such a task? I know I could just remap the server's JSP
> mapping, but I am wondering if it makes more sense to just comment out their
> mapping, and put the JSP mapping into my web.xml for my application..or can
> I leave the server's there, but map it anyways..and my web.xml mapping would
> override the server's?
>
Mapping the JSP extension to your controller servlet means that you have to do
everything the JSP servlet would have done (compile the page if the source is
newer, execute the corresponding servlet, and so on). This is not for the faint of
heart :-).

If you are building your app for a servlet container that implements the version
2.2 spec (and in particular the security constraints stuff), my answer would be
"you are trying to work too hard." Just let the servlet container's security
constraints deal with authentication and access checking.

In an environment where you want to (or must) do your own checking, it is not hard
to contemplate building a little custom tag of your own that checks the user's
session for a particular attribute key, and forwards to your login page if it's
missing (either because the user tried to jump into the middle of your application,
or because the old session timed out). Role checking would make this custom tag
only slightly more complicated -- something like:

    <mytags:checkLogin role="manager"/>

at the top of each page that needed "manager" role could also do the access control
checking for you, by looking at the properties of your user login object. Writing
your own custom tags is a pretty simple exercise -- especially since you can use
Struts for examples!

Doing this in a generic way (say, in Struts) would not be too tough for the simple
login check (just use servlet context attributes to define the attribute key to
look for, and the name of the login page to forward to). Doing the role check
generically would be somewhat tougher, because there is no generic way to say "what
roles does the current user have" unless you are using the servlet container's
authentication support, where you can call request.isUserInRole() to answer this
question.
>
> Furthermore, what I would really like to do, since my entire site is solid
> JSP now (other than a few static html pages) because I include the same
> header and footer on every page (using JSP include directives), I merely
> want all JSP pages to go on to the JSP Servlet..but I just want one central
> location for security reasons..so any JSP request allows my one servlet to
> make sure the page being accessed is allowed by the person accessing it.
That is exactly what the security constraints in the 2.2 spec are about -- making
it the container's responsibility to check this stuff, instead of the application's
problem.

In the meantime, just code a custom tag that does the checks you want, and include
it at the top of every JSP page, and you're done.
>
> Thanks for any info.
Craig McClanahan
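
A tag handler along the lines described in the reply above, as an added example that is not part of the original post and is not Struts code. The class name, the `RoleHolder` interface, the two servlet context attribute names and their fallback values are assumptions made for illustration.

```java
// Added example. Needs the Servlet/JSP API (javax.servlet.*) on the classpath and
// a TLD entry mapping "checkLogin" (optional attribute "role") to this class.
import java.io.IOException;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;
import javax.servlet.jsp.JspException;
import javax.servlet.jsp.tagext.TagSupport;

public class CheckLoginTag extends TagSupport {
    /** Hypothetical contract that the application's login object implements. */
    public interface RoleHolder { boolean hasRole(String role); }

    // Hypothetical servlet context attribute names (set once at startup).
    static final String KEY_ATTR = "checkLogin.userKey";
    static final String PAGE_ATTR = "checkLogin.loginPage";

    private String role;   // optional; null means "any logged-in user"
    public void setRole(String role) { this.role = role; }

    public int doStartTag() { return SKIP_BODY; }

    public int doEndTag() throws JspException {
        ServletContext ctx = pageContext.getServletContext();
        String userKey = stringAttr(ctx, KEY_ATTR, "user");
        String loginPage = stringAttr(ctx, PAGE_ATTR, "/login.jsp");
        HttpServletRequest req = (HttpServletRequest) pageContext.getRequest();
        HttpSession session = req.getSession(false);   // never create a session here
        Object user = (session == null) ? null : session.getAttribute(userKey);

        // Fail closed: no session, no login object, or a login object that
        // cannot prove the required role all end at the login page.
        boolean allowed = user != null && (role == null
            || (user instanceof RoleHolder && ((RoleHolder) user).hasRole(role)));
        if (allowed) return EVAL_PAGE;
        try {
            pageContext.forward(loginPage);
        } catch (ServletException e) {
            throw new JspException(e.getMessage());
        } catch (IOException e) {
            throw new JspException(e.getMessage());
        }
        return SKIP_PAGE;   // do not render the rest of the protected page
    }

    private static String stringAttr(ServletContext ctx, String name, String dflt) {
        Object v = ctx.getAttribute(name);
        return (v instanceof String) ? (String) v : dflt;
    }
}
```

The tag has to run before the page's output buffer is flushed, since `forward` throws `IllegalStateException` once the response is committed. A page that omits the tag is not protected at all, which is the gap the container's security constraints close.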